Web Application Firewall (WAF) provides security reports for the domain names that you add to WAF. The security reports contain the protection results from all protection modules. The protection modules include web security, bot management, and access control and throttling. You can analyze the security of your business based on the security reports.

Prerequisites

  • Your website is added to WAF. For more information, see Add websites.
  • Your websites are protected by WAF.

    By default, after you add a domain name to WAF, the Protection Rules Engine and HTTP Flood Protection features are enabled. You must manually enable the other features. For more information, see Overview.

Go to the Security Report page

  1. Log on to the Web Application Firewall console.
  2. In the top navigation bar, select the resource group and region to which the WAF instance belongs. The region can be Mainland China or International.
  3. In the left-side navigation pane, click Security Report.
  4. On the Security Report page, view security reports on the following tabs: Web Security, Bot Management, and Access Control/Throttling.

View security reports on the Web Security tab

The Web Security tab displays the protection results that are generated by the following features: Web Intrusion Prevention, Data Leakage Prevention, Account Security, and Positive Security Model. You can click the tab of a specific feature to view the protection results of that feature.
  • Web Intrusion Prevention: displays all web application attacks that are blocked by WAF. This tab consists of two sections: attack statistics (Section 1 in the following figure) and attack details (Section 2 in the following figure). You can search for protection results based on a domain name and a time range.
    Figure: Web Security tab
    • The attack statistics section displays Attack Type Distribution, Top 5 Attack IP Addresses, and Top 5 Attack Regions.
    • The attack details section displays the following information: Attack IP, Region, Time Attacked, Attack Type, Attacked URL, Method, Parameter, Rule Action, Rule ID, and Attack Probability.
      You can search for protection results based on the following fields:
      • Protection feature: Regular Protection and Deep learning
      • Attack type: SQL injection, XSS, Code execution, CRLF, Local file inclusion, Remote file inclusion, webshell, CSRF, Attacks Triggering Custom Rules, and Other
      • Attack IP address
      • Protection rule ID
      You can perform the following operations on an attack record:
      • Find the attack record and click View Details in the Actions column to go to the Attack Detail panel.
      • If you confirm that the attack record contains a normal request, click Ignore False Positives in the Actions column.

        After you click Ignore False Positives, WAF generates a whitelist rule for web intrusion prevention based on the characteristics of the attack record. Then, web intrusion prevention does not detect requests with the same characteristics. In the Create Rule dialog box, specify the Rule Name parameter for the whitelist rule and click Save.

        Note In rare cases, a request is blocked because multiple protection rules are triggered at the same time. However, the whitelist rule that is generated after you click Ignore False Positives allows requests with the same characteristics to skip only a specific protection rule. In this case, you can manually reconfigure the IDs of Specific Rules parameter in the whitelist rule and add the IDs of the other protection rules that you want to skip. You also need to contact customer service in the DingTalk group or submit a ticket to report the false positive.

        After the whitelist rule is created, the whitelist rule is automatically enabled. You can query, edit, and delete existing rules on the Web Intrusion Prevention - Whitelisting page. For more information, see Configure a whitelist for Web Intrusion Prevention.

    For more information about how to configure web intrusion prevention, see the following topics:
  • Data Leakage Prevention: displays the web requests that trigger rules of data leak prevention. The following information is displayed: Attack IP, Region, Time Attacked, Attacked URL, Method, Parameter, Rule Action, Rule ID, and Attack Probability. You can search for protection results based on a domain name and a time range.

    You can find a web request and click View Details in the Actions column to go to the Attack Detail panel.

    For more information about how to configure data leak prevention, see Configure data leakage prevention.

  • Account Security: displays the risk events that occur at a specific endpoint. The endpoint is configured in account security. The following information is displayed: Domain, Endpoint, Malicious Requests Occurred During, Blocked Requests/Total Requests, and Alert Triggered By. You can search for protection results based on a domain name, an endpoint, and a time range.

    For more information about how to configure account security, see Configure account security.

  • Positive Security Model: displays web application attacks that trigger protection rules. The protection rules are automatically generated by the positive security model. The following information is displayed: Attack IP, Region, Time Attacked, Attacked URL, Method, Rule Action, Rule ID, and Attack Probability. You can search for protection results based on a domain name and a time range.

    You can find a web application attack and click View Details in the Actions column to go to the Attack Detail panel.

    For more information about how to configure the positive security model, see Configure the positive security model.
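The attack statistics section (Attack Type Distribution, Top 5 Attack IP Addresses, Top 5 Attack Regions) is an aggregation of the attack details records. The following Python script is added here as an illustration and is not part of WAF or its documentation: it rebuilds those statistics from constructed sample records that use the report's fields, counts hits per Rule ID, and lists blocked records with a low Attack Probability that are worth reviewing in the Attack Detail panel before deciding whether to click Ignore False Positives. The snake_case field names, rule IDs, regions and the 0.6 threshold are assumptions.

```python
from collections import Counter

# Constructed sample of attack detail records using the fields shown in the
# Web Intrusion Prevention report (sample data, not an export from WAF).
ATTACK_RECORDS = [
    {"attack_ip": "203.0.113.10", "region": "Region A", "attack_type": "SQL injection",
     "attacked_url": "/login", "method": "POST", "parameter": "user",
     "rule_action": "Block", "rule_id": "100001", "attack_probability": 0.97},
    {"attack_ip": "203.0.113.10", "region": "Region A", "attack_type": "SQL injection",
     "attacked_url": "/search", "method": "GET", "parameter": "q",
     "rule_action": "Block", "rule_id": "100001", "attack_probability": 0.93},
    {"attack_ip": "198.51.100.7", "region": "Region B", "attack_type": "XSS",
     "attacked_url": "/comment", "method": "POST", "parameter": "body",
     "rule_action": "Block", "rule_id": "100204", "attack_probability": 0.88},
    {"attack_ip": "198.51.100.7", "region": "Region B", "attack_type": "Local file inclusion",
     "attacked_url": "/download", "method": "GET", "parameter": "file",
     "rule_action": "Monitor", "rule_id": "100310", "attack_probability": 0.71},
    {"attack_ip": "192.0.2.55", "region": "Region C", "attack_type": "XSS",
     "attacked_url": "/profile", "method": "GET", "parameter": "name",
     "rule_action": "Block", "rule_id": "100204", "attack_probability": 0.42},
]

def attack_type_distribution(records):
    """Count records per Attack Type (the Attack Type Distribution chart)."""
    return dict(Counter(r["attack_type"] for r in records))

def top_n(records, field, n=5):
    """Top-N values of a field, e.g. Top 5 Attack IP Addresses / Top 5 Attack Regions."""
    return Counter(r[field] for r in records).most_common(n)

def rule_hit_counts(records):
    """Records per Rule ID: shows which rule IDs a recurring request keeps
    triggering, the IDs a whitelist rule must list under IDs of Specific Rules."""
    return dict(Counter(r["rule_id"] for r in records))

def review_candidates(records, min_probability=0.6):
    """Blocked records whose Attack Probability is below the threshold; inspect
    these in the Attack Detail panel before treating them as false positives.
    The threshold is an assumed triage value, not a WAF setting."""
    return [r for r in records
            if r["rule_action"] == "Block" and r["attack_probability"] < min_probability]

if __name__ == "__main__":
    print(attack_type_distribution(ATTACK_RECORDS))
    print(top_n(ATTACK_RECORDS, "attack_ip"))
    print(top_n(ATTACK_RECORDS, "region"))
    print(rule_hit_counts(ATTACK_RECORDS))
    print(review_candidates(ATTACK_RECORDS))
```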

View security reports on the Bot Management tab

The Bot Management tab displays the monitoring data of the crawler requests to websites. This tab also displays the protection results that are generated based on anti-crawler rules. In the upper-left corner of the tab, you can select a domain name and specify a time range to search for protection results. WAF provides an independent security report for each scenario that you configure by using the scenario-specific configuration feature.
  • The Bot Management tab consists of Overview of Protection Effects and Scenario-specific Protection Effect. Overview of Protection Effects displays the trends in the total number of requests, the number of requests that are identified as crawler requests, and the number of crawler requests that trigger different protection rules.
  • indicates the number of requests that are identified as crawler requests based on multi-dimensional traffic characteristics. This allows you to evaluate the protective effects of anti-crawler rules. If the number of blocked requests is much smaller than the number of requests that are identified as crawler requests, you must modify the anti-crawler rules to improve the protective effects. If the number of blocked requests is close to the number of requests that are identified as crawler requests, the protective effects are considered satisfactory.
  • indicates the number of requests that match anti-crawler rules in Monitor mode. If you set the protection mode to Block, the requests are blocked, or the clients are required to pass slider CAPTCHA verification.
  • indicates the number of requests that match anti-crawler rules in Block mode.

View security reports on the Access Control/Throttling tab

The Access Control/Throttling tab displays web requests that trigger the protection rules that you configure in HTTP Flood Protection, Scan Protection, and Access Control. You can search for protection results based on a domain name and a time range. You can also query the related logs with a few clicks.
  • HTTP Flood Protection: displays the trend of HTTP flood protection. The following information is displayed: Total QPS, Alerts on Custom Rule Hit, Blocking on Custom Rule Hit, and Blocking on System Rule Hit. This tab also displays No. of matches for different rule types. The rule types include Alerts on Custom Rule Hit, Blocking on Custom Rule Hit, and Blocking on System Rule Hit.
    You can click the value of No. of matches for a rule type to go to the Log Service page. On the page that appears, the system provides the log query statements related to HTTP flood protection. This facilitates log queries. For more information, see Enable log query.

    For more information about how to configure HTTP flood protection, see Configure HTTP flood protection.

    For more information about how to customize HTTP flood protection rules, see Create a custom protection policy.

  • Scan Protection: displays the trend of scan protection. The following information is displayed: Total QPS, Directory Traversal Protection, Collaborative Protection, High-frequency Web Attack Protection, and Scan Tool-based Blocking. This tab also displays No. of matches for different rule types. The rule types include Directory Traversal Protection, Collaborative Protection, High-frequency Web Attack Protection, and Scan Tool-based Blocking.
    You can click the value of No. of matches for a rule type to go to the Log Service page. On the page that appears, the system provides the log query statements related to scan protection. This facilitates log queries. For more information, see Enable log query.

    For more information about how to configure scan protection, see Configure scan protection.

  • Access Control: displays the trend of access control. The following information is displayed: Total QPS, Blocking by ACL Policy, Alerts by ACL Policy, and Blocking by Blacklisting. This tab also displays the number of times that custom rules are matched.
    You can click the ID of a custom rule. In the Edit Rule dialog box, you can view and modify the configuration of this custom rule. For more information, see Create a custom protection policy.
    You can click the value of No. of matches for a custom rule to go to the Log Service page. On the page that appears, the system provides the log query statements related to access control. This facilitates log queries. For more information, see Enable log query.

    For more information about how to configure access control, see Create a custom protection policy.

    For more information about how to configure an IP address blacklist, see Configure a blacklist.